Insurers, Hospitals Urge HHS to Cut Biden-Era Cyber Rule Updates

July 17, 2025, 9:00 AM UTC

Health entities are calling on the Department of Health and Human Services to clarify its health data privacy law and quash a Biden-era update to cyber rules aimed at strengthening compliance requirements for businesses.

Many provisions in the proposed cyber updates aren’t “operationally feasible and do not recognize the nuance and complexities of applying cyber protections in a complex health IT environment” and “drastically underestimate implementation costs,” the Federation of American Hospitals wrote in comments filed as part of a deregulation initiative announced in May by HHS.

“We urge HHS to withdraw the proposed rule,” the trade group representing 1,000 hospitals added, “and engage in a stakeholder process to develop a new approach for a cybersecurity regulatory framework.”

The deregulation effort gives businesses in the health sector a second chance to challenge the cyber rule updates that conglomerates such as UnitedHealth and Kaiser Permanente criticized at the time as “unnecessarily stringent.” Now, the health companies may find a friendlier audience under the Trump administration.

After a meeting with hospital CEOs earlier this year, HHS Secretary Robert F. Kennedy, Jr. said in April that health entities currently spend “the bulk of their resources on administrative costs,” and that he’s identifying ways to save “hundreds and hundreds of billions of dollars annually just by small, common sense rule changes.” The deregulation effort was announced a month later.

The comment period for the proposed Biden rule ended in March 2025, garnering more than 4,500 responses. There has been no rulemaking activity since then.

About 975 pharmaceutical companies, health insurers, clinics, health tech firms, and individual consumers answered the department’s call to weigh in on its rule-cutting effort by July 14. The deregulation plan was mandated by President Donald Trump’s February executive order that instructed agencies to review and shelve “unlawful regulations.”

Security Rule

Among the rules opposed by the health industry was Biden’s 2024 proposed update of the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The updates aimed to shore up the cyber defenses of the health-care supply chain after debilitating cyberattacks against UnitedHealth Group Inc. and its Change Healthcare Inc. subsidiary.

The proposed updates remove necessary flexibility, the American Academy of Family Physicians, which represents more than 128,000 doctors, wrote in its July 9 letter. Increasing requirements will expand physicians’ administrative burden, the group said, which “isn’t an effective way to improve the cybersecurity” of protected health information.

AHIP, the trade group representing health insurers, as well as UnitedHealth and the Cleveland Clinic, shared similar concerns, warning that the rule adds time-consuming and “unnecessary documentation requirements” and “significant investments in financial resources and staff time.”

“The structure of the proposed rule would necessitate near-continuous document review and updating, resulting in cybersecurity professionals’ time being spent on paperwork instead of critical, proactive efforts to protect patients and their information from growing cyber threats,” AHIP wrote. The organization recommended against finalizing the rule without making significant structural revisions.

Others, like the American Hospital Association, a health-care trade group of nearly 5,000 hospitals and health providers, asked for the proposed requirements to be made voluntary.

The regulation, first announced in December 2024, would be the first major update in two decades to the Security Rule. The update would also set up the agency for more active enforcement, targeting noncompliance in the industry that the Biden-era department said contributed to a spike in medical-related cybersecurity incidents this decade.

‘Reduce Legal Ambiguity’

Health-related businesses also took advantage of the deregulation initiative to call for the health agency to clarify HIPAA, remove barriers to AI innovation in the health sector, and push for a comprehensive federal data privacy law.

The National Small Business Association asked HHS to “consider ways to update HIPAA guidance that will provide clarity to small entities,” while the Blue Cross Blue Shield Association asked for revised definitions in HIPAA to “reduce legal ambiguity” and “support compliance.”

HHS said it took about 400 deregulatory actions during the first Trump administration, with plans to now “dramatically expand” its efforts.

To contact the reporter on this story: Cassandre Coyer in Washington at ccoyer@bloombergindustry.com

To contact the editors responsible for this story: Catalina Camia at ccamia@bloombergindustry.com; Jeff Harrington at jharrington@bloombergindustry.com
